Sorry if this isn’t the right thread but we have a self-hosted Gitlab CE installation and we believe it’s been attacked. There have been several users who have had their accounts locked out from too many attempts over the past few months, even though they are legacy users who didn’t use it. We turned on 2FA and deleted the legacy accounts. From then, there were only 2 user accounts in the installation.
Last Friday, we noticed some accounts with random names managed to appear, including one with admin access; we shutdown the server and tried to do a post-mortem. The api_json, application_json and audit_json logs all fail to reveal how these accounts showed up and even if/when/how they managed to get access. Additionally, the api_json log doesn’t seem to show the hackers being successful in doing a pull of our code; it’s as if the accounts showed up magically. What we did notice is that the accounts that showed up later had previously been failed login attempts. Is it possible Gitlab, upon a failed attempt, recorded them as users?
We did manage to be behind on updating and were on version 12. Is there any known vulnerability that allowed arbitrary user accounts to be created?
It’s a bit odd but I am not sure where to start. Is this something that should be logged as an issue? The support page pointed to the community forum.